Keeping Your Eye on Privacy
Mike Gurski, Director: Bell Privacy Centre of Excellence
April 2008, New York, NY

Agenda
• Background
• Privacy Threats
• Canadian Privacy Law
• Sample of University Privacy Postures
• Solutions for Privacy Management

Background: How Soon We Forget
On August 1, 2006, USA Today reported that, "in the past 18 months, colleges were the source of one-third to half of all publicly disclosed (privacy) breaches. By reviewing 109 privacy breaches at 76 campuses, USA Today found that 70 percent of the incidents involved hacking."
What does this tell us?
Bell Restricted

U.S. to Ease Privacy Rules
The Federal Education Department proposed new regulations to clarify when universities may release confidential student information, following the Virginia Tech shootings. (NY Times, March 25, 2008)

Privacy Threat Models Reviewed
• The 'duh' factor
• The infinite information appetite syndrome: including hackers
• The privacy policy riddle
• The attacker models, and willing participants, in a University setting: Reporter, Marketer, Insider
• The 'balancing rights' conundrum
• The proportional response problem
• The 'save us from disaster' misconception
• Examining the risks: probabilities and outcomes

A Special University Privacy Challenge
A hot bed of early adopters:
• Web 2.0/3.0
• Social Networks
• Software as a Service

A Different Privacy Landscape in Canada?
• Provincial OCIO bans instant messaging and file sharing after privacy breaches in NFLD
• Memorial University CSO mirrors the ban: March 28, 2008 (NFLD)
• Question: How is the University responding? Primary focus on tactical PIAs (privacy impact assessments) for BANNER and laptops

The Canadian Particulars
• Legislative landscape: Fair Information Practices based
• A digression to GWU and Daniel Solove
• A privacy maturity model for universities
• The role of strategy as opposed to tactics
• The role of technology and new tools

Daniel Solove
• A taxonomy of privacy attacks
• A new way to think about privacy legislation and technology

Organization's Privacy Management Maturity
Level 4, Integrated
• Processes fully defined and audited
• Privacy management fully integrated with the business
Level 3, Standardized
• Processes, roles, and workflows are defined
• Privacy management is broad based to serve strategic goals
• Training ongoing
Level 2, Focused
• Privacy processes are partially documented
• Minimal automation for privacy management
• Training policy with event-based training
Level 1, Ad-Hoc
• Privacy processes are not defined or documented

A Strategic Approach
The key steps:
– Build a business case for strategic investment in privacy management
– Build internal privacy management capacity (reducing cost and reliance on outside consultants)
– Use tools that allow non-specialists to manage privacy
– Set out a strategy and planning roadmap
– Develop a vulnerability assessment/gap analysis of personal information management within the University
– Engage all levels in privacy management
– Reduce the resources needed to manage privacy
– Provide a new focus on system design for personal information banks

New Tools
• Compliance and assessment tools
• Internal capacity workshops
• Data repository for knowledge transfer
• Training curriculum geared to privacy management capacity
• Enterprise privacy strategy/roadmap
• Privacy enhancing technologies

Contact Information
Mike Gurski, Director: Bell Privacy Centre of Excellence
905-751-4310
mike.gurski@bell.ca